Privacy Notice

Last updated: December 2025

Introduction

This Privacy Policy explains how NetNodes Limited (“NetNodes”, “we”, “our”, “us”), trading as PassFlow, collects, uses, and protects personal information when you use our websites, applications, and digital pass services (collectively, the “Services”).

This policy applies globally to users in the UK, EU/EEA, the United States, and other regions.

PassFlow may be used by organisations to distribute and manage digital passes (e.g., access passes, membership passes, event passes). When organisations store or manage end-user data, NetNodes acts as a Data Processor.

1. Who We Are

NetNodes Limited is the Data Controller for data collected directly (e.g., website usage, registration).

PassFlow customers are Data Controllers for information they upload or manage within PassFlow.

2. Information We Collect

A. Information You Provide

Account information

• Name, business details, email, phone number, login credentials.

Payment information

• Handled by third-party payment processors. NetNodes does not store full payment card numbers.

Communications

• Support messages, contact details, attachments, email open confirmations.

Data entered by PassFlow customers

This may include:

• Name
• Email address
• Phone number
• Member ID / customer ID
• Pass metadata
• Images or logos
• Optional personalisation elements
• Apple Wallet / Google Wallet identifiers

This is controlled by the customer.

B. Information We Collect Automatically

• Usage logs (API calls, admin actions)
• Pass distribution events (e.g., pass created, updated, revoked)
• Technical information: IP address, browser type, operating system
• Cookie and tracking data (where lawful)

C. Information from Third Parties

• Identity providers
• Integration partners
• Publicly available information

3. How We Use Information

To:

• Provide, operate, and secure PassFlow
• Support digital pass creation and distribution
• Manage Apple/Google Wallet integrations
• Improve and enhance the platform
• Provide customer support
• Process payments
• Prevent abuse or fraud
• Conduct anonymised analytics
• Communicate important account notices and service messages

Marketing communications are optional and require consent where required by law.

4. How We Share Information

We may share personal data with:

• Sub-processors (hosting, messaging, infrastructure partners)
• Apple and Google as required for wallet pass issuance
• Analytics providers (with consent where required)
• Legal authorities, when required
• Potential acquirers, as part of a transaction
• Other parties, only where anonymised/aggregated

We do not, and never will sell personal data.

5. Legal Basis for Processing

May include:

• Contractual necessity
• Legitimate interests
• Consent (where legally required)
• Legal obligations
• Vital interests

PassFlow customers determine the lawful basis for their use of user data.

6. Your Rights (UK/EU/EEA/Norway)

You may have rights to access, correct, delete, object, restrict, or port your data.

Requests relating to PassFlow customer–stored data must be made to the Data Controller (the customer).

Requests about data collected directly by NetNodes can be made to: privacy@netnodes.net

7. Rights for California / US Users

We comply with relevant state-level privacy laws (e.g., CCPA/CPRA).

You may have rights to access, delete, request information about categories of data, and opt out of sale/sharing.

We do not and never will sell your data.

8. International Transfers

Transfers outside the UK/EEA are protected by:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Additional safeguards

9. Security

Security measures include:

• Encryption
• Access controls
• MFA
• Infrastructure hardening
• Logging & monitoring
• Periodic penetration testing
• Strong sub-processor review controls

10. Data Retention

We retain personal data only as long as necessary.

PassFlow customers may set their own data retention periods for passholder data.

11. Children’s Privacy

PassFlow is not intended for children under 16 (or under local minimum age thresholds).

We do not knowingly collect such information.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated appropriately.

13. Contact Us

If you have questions about this policy or your personal data, please contact us at privacy@netnodes.net